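<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Document</title>
</head>
<body>
    <!-- Demo: append an <img> to .box from a user-supplied URL without creating a DOM-based XSS sink. -->
    <label for="web">Image URL</label>
    <input type="text" id="web">
    <button type="button" id="add">添加图片</button>
    <div class="box"></div>
    <script src="/node_modules/jquery/dist/jquery.js"></script>
    <script>
        // DOM-based XSS: no server round-trip is involved. Interpolating user
        // input into an HTML string and handing it to .html() / innerHTML /
        // document.write lets the input change the markup structure. A value of
        //     x" onerror="alert(1)
        // closes the src attribute and injects an event handler.
        //
        // The previous version wrapped the value in encodeURI() before
        // interpolating it. That happens to percent-encode `"`, `<` and `>`, but
        // encodeURI() is a URL encoder, not an HTML attribute escaper: it leaves
        // `'` untouched (a single-quoted attribute would still be breakable) and
        // it double-encodes input that is already percent-encoded (%20 -> %2520),
        // breaking legitimate URLs.
        //
        // The robust fix is to never build markup from strings: create the
        // element and assign src through the DOM API, where the value is stored
        // as an attribute value and is never parsed as HTML.
        $('#add').on('click', function () {
            var raw = $('#web').val().trim();
            var $box = $('.box');

            // Empty input is not a valid image reference; just clear the box.
            if (raw === '') {
                $box.empty();
                return;
            }

            // Attribute assignment prevents markup injection but does not
            // validate the URL itself, so allow-list the scheme after resolving
            // relative input against this page. new URL() throws on malformed
            // input, which is treated the same as an unsupported scheme.
            var parsed;
            try {
                parsed = new URL(raw, location.href);
            } catch (e) {
                $box.empty();
                return;
            }
            if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
                $box.empty();
                return;
            }

            // alt="" — the user-chosen image has no caption to describe it.
            var $img = $('<img>').attr({ src: parsed.href, alt: '' });
            $box.empty().append($img);
        });
    </script>
</body>
</html>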